This blog is totally independent and has only three major objectives.
The first is to inform readers of news and happenings in the e-Health domain, both here in Australia and world-wide.
The second is to provide commentary on e-Health in Australia and to foster improvement where I can.
The third is to encourage discussion of the matters raised in the blog so hopefully readers can get a balanced view of what is really happening and what successes are being achieved.

Tuesday, November 04, 2014

Despite All The Assurances It Seems The PCEHR Has Had A Few Holes. Just Typical Of DoH To Not Be Up Front Earlier!

Users accidentally link to someone else's health record.

The Department of Health has been forced to own up to two inadvertent breaches of the national health records system in the past 12 months, the Information Commissioner has revealed.

Legislation underpinning the Personally Controlled Electronic Health Record (PCEHR) demands that the department notifies the Office of the Information Commissioner of any privacy slip-ups that could impact on the integrity of personal medical data stored in the PCEHR system.

In December last year, the department acknowledged to the OAIC that a technical change had introduced a glitch into the system potentially allowing a handful of healthcare providers to access PCEHR users’ personal health notes without authorisation, for a short window of time.

A health spokesperson did not tell iTnews whether or not it thought the files had actually been viewed, but said “the fact that these notes potentially became accessible to healthcare providers is taken as being viewed, regardless of whether these were actually viewed”.

The department added, however, that the error was fixed “within a few hours” of being picked up. It still got in touch with a handful of affected users to let them know what had happened.

The second breach took place six months later in May 2014, and saw some users given the option of linking their MyGov accounts to two PCEHR records, their own and that of a spouse or family member.

Receiving data breach notifications

The OAIC received two mandatory data breach notifications under s 75 of the PCEHR Act.

The OAIC was advised by the System Operator of the first data breach in December 2013. This data breach involved a technical change made to the system that meant that healthcare providers could view consumers’ personal health notes. Investigations by the System Operator identified the cause and a technical fix was put in place to prevent further access. The OAIC reviewed the information provided by the System Operator in relation to the breach and determined that the response was appropriate and that no further action was required.

The System Operator notified the OAIC of the second data breach in May 2014. This breach involved consumers logging into their MyGov account and using their identity verification code (IVC) to access their own PCEHR and link their PCEHR to their MyGov account. In some instances they also accidentally set up access to another consumer’s PCEHR while still logged into their own MyGov account, linking that second consumer’s PCEHR to their own MyGov account. This resulted in the landing page of the first consumer’s PCEHR showing two ‘Open your eHealth record’ buttons, which provided links to open both consumers’ PCEHRs. The System Operator advised that containment strategies had been implemented to prevent similar incidents occurring. It should be noted that the cause of the breach was not related to MyGov. The OAIC sought further information from the System Operator about its response to the breach. The OAIC’s consideration of the data breach notification and the further information provided by the System Operator was ongoing at 30 June 2014.
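The two notified breaches above are both authorisation failures: in the first, a technical change let healthcare providers read consumers’ personal health notes; in the second, a consumer’s account ended up linked to a second consumer’s record. As an added illustration (this is not the PCEHR, MyGov or Department of Health code; the record and account structures, the rule that an IVC is bound to a single record owner, and all function and field names are assumptions of mine), the toy Python model below shows the two invariants a defender would want enforced and audited: personal notes are readable only by the record’s owner regardless of role, and a record can be linked to an account only when the account was identity-verified for that record’s owner, with a render-time re-check and an audit query so that a bad link is caught even if it slips through.

```python
"""Toy authorisation model for consumer health records (constructed example,
not the PCEHR/MyGov implementation; data model and rule names are assumed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class AccessDenied(Exception):
    """Raised whenever a rule below is violated."""


@dataclass
class HealthRecord:
    record_id: str
    owner_id: str                      # consumer the record belongs to
    ivc: str                           # identity verification code issued to the owner (assumed binding)
    clinical_docs: List[str] = field(default_factory=list)
    personal_notes: List[str] = field(default_factory=list)   # consumer-only notes


@dataclass
class Account:
    account_id: str
    verified_identity: str             # the consumer this login was identity-verified for
    linked_records: Set[str] = field(default_factory=set)


@dataclass
class Session:
    subject_id: str                    # consumer id or provider id
    role: str                          # "consumer" or "provider"
    account: Optional[Account] = None  # consumers carry their account; providers do not


def read_record(session: Session, record: HealthRecord, part: str) -> List[str]:
    """Rule 1: personal notes are owner-only. A provider may read clinical
    documents but never personal notes, whatever else is configured."""
    if part == "personal_notes":
        if session.role != "consumer" or session.subject_id != record.owner_id:
            raise AccessDenied("personal notes are visible to the record owner only")
        return list(record.personal_notes)
    if part == "clinical_docs":
        if session.role == "provider" or session.subject_id == record.owner_id:
            return list(record.clinical_docs)
        raise AccessDenied("consumer is not the owner of this record")
    raise AccessDenied(f"unknown record part: {part}")


def link_record(session: Session, record: HealthRecord, presented_ivc: str) -> List[str]:
    """Rule 2: linking needs a matching IVC AND the record's owner must be the
    identity the account was verified for. Checking the IVC alone would let a
    valid code for someone else's record attach that record to this account."""
    account = session.account
    if account is None or session.role != "consumer":
        raise AccessDenied("only a consumer session with an account may link records")
    if presented_ivc != record.ivc:
        raise AccessDenied("IVC does not match this record")
    if record.owner_id != account.verified_identity:
        raise AccessDenied("record owner differs from the verified account holder")
    account.linked_records.add(record.record_id)
    return sorted(account.linked_records)


def landing_page_buttons(account: Account, records: Dict[str, HealthRecord]) -> List[str]:
    """One 'open record' button per linked record, re-checking ownership at
    render time so a stale or wrongly created link never shows a second record."""
    return [rid for rid in sorted(account.linked_records)
            if records[rid].owner_id == account.verified_identity]


def accounts_with_foreign_links(accounts: List[Account], records: Dict[str, HealthRecord]) -> List[str]:
    """Audit query: accounts holding a link to a record they do not own. Each hit
    is an incident to investigate even if the record was never actually opened."""
    return sorted(a.account_id for a in accounts
                  if any(records[r].owner_id != a.verified_identity for r in a.linked_records))


def build_sample() -> Dict[str, object]:
    """Constructed sample data: two consumers, one provider, one account each."""
    rec_a = HealthRecord("rec-a", "alice", "IVC-A", ["referral-2014"], ["private note"])
    rec_b = HealthRecord("rec-b", "bob", "IVC-B", ["imaging-2014"], ["bob's note"])
    acct_a = Account("acct-a", "alice")
    return {
        "records": {"rec-a": rec_a, "rec-b": rec_b},
        "alice": Session("alice", "consumer", acct_a),
        "provider": Session("dr-x", "provider"),
        "accounts": [acct_a],
    }
```

The render-time re-check and the audit query are deliberate redundancy: the link rule should make a foreign link impossible, but the second breach shows that a change elsewhere in a system can undo a single check, so the page that lists records and a periodic audit both re-verify ownership independently.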

The OAIC liaised with Health about other incidents relating to the PCEHR system which did not meet the criteria for mandatory data breach notifications under the PCEHR Act. In one of these incidents, an email containing a consumer’s IVC and other personal information was sent to the incorrect email address. The email recipient, however, did not have the other information required to access the consumer’s record. The OAIC provided recommendations to the System Operator about how it could reduce the impact of any future incidents of this type. The System Operator advised that it had implemented the OAIC’s recommendations.

The OAIC also sought legal advice from AGS to clarify the threshold for mandatory notification of data breaches.

----- End Extract

There are only two points worth making, I reckon.

First, why were these leaks not disclosed as soon as they were identified and fixed?

Second is the total lack of apparent use or interest in the PCEHR! If it was actually being used, we would see more than eight questions and no complaints!

3 comments:

So no chance my sensitive path and diagnostic information will fall into the wrong hands, upset family members before I can speak with them, and absolute zero chance of this being harvested by those who wish to extort me or my GP and steal my identity. Please dispatch an assisted registration official to me now.